establishing a metrics management...

9

Establishing a MetricsManagement System

Don’t work harder—work smarter.—Ken Blanchard

CHAPTER OBJECTIVE

This chapter, “Establishing a Metrics Management System,” is designed to provide basic guidance necessary for the development of a metricsmethodology to understand what, why, when, and how InfoSec can bemeasured. Using the fictitious company (IWC) and functions that were previously described, a metrics system will be developed. It includes a discussion of how to use the metrics to brief management, justify budget, and use trend analyses to develop a more efficient and effectiveCIAPP.

INTRODUCTION

Some of the most common complaints ISSOs make are that managementdoesn’t support them, and—as the famous comedian Rodney Dangerfieldis known for saying—“I get no respect.” Another complaint is that the costand benefits of InfoSec cannot be measured.

As for the first two, you get support because you are being paid—andthese days, more often than not, quite handsomely—and you have a budgetthat could have been part of corporate profits. Furthermore, respect isearned. Besides, if you want to be popular, you are definitely in the wrongprofession.

One often hears management ask:

• “What is all this security costing me?”• “Is it working?”• “Can it be done at less cost?”• “Why isn’t it working?”

195

Ch09.qxd 6/7/03 4:14 PM 95

That last question often comes right after a successful denial ofservice attack or some other attacks on the corporate systems or Web sites.Of course, many ISSOs respond by saying that it can’t be measured. Thatis often said out of the ISSO’s ignorance of processes to measure costs orbecause the ISSO is too lazy to track costs.

The more difficult question to answer is, “What are the measurablebenefits of a CIAPP and InfoSec functions that provide support under theCIAPP?” Of course, one could always use the well-worn-statement, “It canonly be measured as a success or failure depending on whether or not therehave been successful attacks against our systems.” The truth is that manyattacks go unnoticed, unreported by the users or IT people. Furthermore,separating attacks from “accidents” (human error) is usually not easy;however, metrics can help in the analyses.

What Is a Metric?

To begin to understand how to use metrics to support management of aCIAPP, it is important to understand what is meant by “metrics.” For ourpurposes, a metric is defined as a standard of measurement using quanti-tative, statistical, and/or mathematical analyses.

What Is an InfoSec Metric?

An InfoSec metric is the application of quantitative, statistical, and/ormathematical analyses to measuring InfoSec functional trends and work-load—in other words, tracking what each function is doing in terms oflevel of effort (LOE), costs, and productivity.

There are two basic ways of tracking costs and benefits. One is byusing metrics relative to the day-to-day, routine operations of each InfoSecfunction. These metrics are called level of effort (LOE) and are the basicfunctions noted in the ISSO’s charter of responsibilities and accountabil-ities. Examples would be daily analyses of audit trail records of a firewall;granting users access to systems; and conducting noncompliance inquiries.In more financial terms, these are the recurring costs.

The other way of tracking costs and benefits is through formal projectplans. In other words, if the tasks being performed are not the normal LOEtasks, then they fall under projects. Remember that functions are never-ending, daily work, while projects have a beginning and ending date witha specific objective. In more financial terms, these are the nonrecurringcosts.

So, in order to efficiently and effectively develop a metrics manage-ment program, it is important to establish that philosophy and way of

196 The Information Systems Security Officer’s Guide

Ch09.qxd 6/7/03 4:14 PM Page 196

doing business. Everything that an ISSO and staff do can be identified asfitting into one of these two categories: LOE or project.

What Is InfoSec Metrics Management?

InfoSec metrics management is the managing of a CIAPP and relatedInfoSec functions through the use of metrics. It can be used where man-agerial tasks must be supported for such purposes as backing the ISSO’sposition on budget matters, justifying the cost-effectiveness of decisions,or determining the impact of downsizing on providing InfoSec service andsupport to customers.

The primary process to collect metrics is as follows:

• Identify each InfoSec function1;• Determine what drives that function, such as labor (number of people

or hours used), policies, procedures, and systems; and• Establish a metrics collection process. The collection process may be

as simple as filling out a log for later summarization and analysis.The use of a spreadsheet that can automatically incorporate InfoSecstatistics into graphs is the preferred method. This will make it easierfor the ISSO to use the metrics for supporting management decisions,briefings, etc.

The decision to establish a process to collect statistics relative to aparticular InfoSec function should be decided by answering the followingquestions:

• Why should these statistics be collected?• What specific statistics will be collected?• How will these statistics be collected?• When will these statistics be collected?• Who will collect these statistics?• Where (at what point in the function’s process) will these statistics

be collected?

By answering these questions for each proposed metric, the ISSO canbetter analyze whether or not a metrics collection process should be estab-lished for a particular function. This thought process will be useful inhelping explain it to the InfoSec staff or management, if necessary. It willalso help the ISSO decide whether or not the ISSO should continue main-taining that metric after a specific period of time. Since the IWC ISSO had

Establishing a Metrics Management System 197

1 It is assumed each function costs time, money, and use of equipment to perform.

Ch09.qxd 6/7/03 4:14 PM Page 197

begun with an analysis of InfoSec requirements (drivers) that led to iden-tification of an ISSO charter that led to the identification of InfoSec func-tions with process flowcharts, the task of developing metrics will be mucheasier. That is because each step noted in the InfoSec functions’ flowchartscan be a point of quantifying and qualifying costs of performing that specific function.

All metrics should be reviewed, evaluated, and reconsidered for con-tinuation at the end of each year, or sooner—when a requirement changes,a function may also change. Remember that although the collection of themetrics information will help the ISSO better manage the InfoSec dutiesand responsibilities, a resource cost is incurred in the collection and main-tenance of these metrics. These resources include:

• People who collect, input, process, print and maintain the metricsfor you;

• Time to collect, analyze and disseminate the information; and• The hardware and software used to support that effort.

When using these metrics charts for management briefings, one mustremember that the chart format and colors are sometimes dictated by man-agement; however, which type of chart is best for analysis or presentationto management is probably up to the ISSO.

The ISSO should experiment with various types of line, bar, and piecharts. The charts should be kept simple and easy to understand. Remem-ber the old saying, “A picture is worth a thousand words.” The chartsshould need very little verbal explanation.

If the ISSO will use the charts for briefings, the briefing should onlycomment on the various trends. The reason for this is to clearly and con-cisely present the material, and not get bogged down in details whichdetract from the objective of the charts.

One way to determine whether the message of the charts is clear isto have someone look at each chart and describe what it tells them. If it iswhat the chart is supposed to portray, then no changes are needed. If not,the ISSO should then ask the viewer what the chart does seem to repre-sent and what leads them to that conclusion. The ISSO must then go backto the chart and rework it until the message is clear and is exactly whatthe ISSO wants the chart to show. Each chart should have only one spe-cific objective, and the ISSO should be able to state that objective in onesentence, such as “This chart’s objective is to show that InfoSec supportto IWC is being maintained without additional budget although the work-load has increased 13%.”

The following paragraphs identify some basic examples of InfoSecmetrics that can be collected to assist an ISSO in managing a CIAPP andbriefing the management on the CIAPP and the InfoSec organization. Bythe way, when establishing a briefing to management where the metrics


Ch09.qxd 6/7/03 4:14 PM Page 198

charts will be used, a chart similar to Figure 8.1 (as shown in Chapter 8)should be used to start off the briefing. That chart tracks the requirements(drivers) which can be traced to each function. One may also want toprovide more detailed charts tracking specific requirements to specificfunctions (Figure 9.1).

Of course, as the ISSO, you would want to get more specific and trackto a more detailed level of granularity. In fact, the InfoSec staff responsi-ble for leading a specific function should be tasked with developing thischart or charts. That way, the staff will know exactly why they are doingwhat they do. The next step would be for them to track their workflow,analyze it, and find more efficient ways to do the job. At the same timethey would also look at current costs and cost-savings as more efficientways are found to successfully accomplish their jobs.

The ISSO must remember that the use of metrics is a tool to supportmany of the ISSO’s decisions and actions; however, it is not perfect. There-fore, the ISSO must make some assumptions relative to the statistical data


Requirement-Driver•Securities Exchange Commission

•Safeguard Stockholder’s Assets

CIAPP

ISSO’s CIAPP organizational requirements

Responsibilities -Charter

ISSO Organizational Functions

•Access Controls•Disaster Recovery/Emergency Planning•InfoSec Risk Management

Figure 9.1 An example of tracing a requirement to a specific function.

Ch09.qxd 6/7/03 4:14 PM Page 199

to be collected. That’s fine. The ISSO must remember that metrics is notrocket science, only a tool to help the ISSO take better-informed actionsand make better-informed decisions. So, the ISSO should never get carriedaway with the hunt for “perfect statistics,” or become so involved inmetrics data collection that “paralysis by analysis” takes place.2

The spreadsheets and graphs used for metrics management canbecome very complicated with links to other spreadsheets, elaborate 3-Dgraphics, etc. That may work for some, but the ISSO should consider theKISS (Keep It Simple, Stupid) principle when collecting and maintainingmetrics. This is especially true if the ISSO is just getting started and hasno or very little experience with metrics. One may find that the projectleads who are developing an “automated statistical collection” applicationare expending more hours developing the application—which never seemsto work quite right—than it would take to manually collect and calculatethe statistical information.

It is also important, from a managerial viewpoint, that all charts, sta-tistics, and spreadsheets be done in a standard format. This is necessaryso that they can be ready at all times for reviews and briefings to uppermanagement. This standard is indicative of a professional organization andone that is operating as a focused team.

ISSOs who are new to the ISSO position, or management in general,may think that this is somewhat ridiculous. After all, what difference doesit make as long as the information is as accurate as possible and providesthe necessary information? This may be correct, but in the business envi-ronment, standards, consistency, and indications of teaming are always aconcern of management. Your charts are indicative of those things.

The ISSO has a hard enough job getting and maintaining managementsupport. The job should not be made more difficult than it has to be.

Another negative impact of nonconformance of format will be thatthe attendees will discuss the charts and not the information on them.Once “nonconformance to briefing charts standards” is discussed, man-agement has already formed a negative bias. Thus, anything presented willmake it more difficult to get the point across, gain the decision desired,and meet the established objective of the briefing.

It is better just to follow the established standards than to argue theirvalidity. It is better to save energy for arguing for those things that are moreimportant. After all, one can’t win, and the ISSO does not want to be seenas “a non-team player” more than necessary.

Of course the number, type, collection methods, etc., that the ISSOwill use will be dependent on the environment and the ISSO’s ability tocost-effectively collect and maintain the metrics.


2 Dr. Kovacich had used approximately 47 metrics charts at various times to assist in managing several large CIAPPs and InfoSec organizations.

Ch09.qxd 6/7/03 4:14 PM Page 200

METRICS 1: INFOSEC LOE DRIVERS—NUMBER OF USERS

There are two basic InfoSec LOE drivers within an organization, that is,those things that cause the InfoSec workload to be what it is, increasingor decreasing. The two basic drivers are:

• The number of systems which fall under the purview of the CIAPPand ISSO’s overall responsibility for protection; and

• The number of users of those systems.

A question that must be asked is: Why are these metrics worth track-ing? They are worth tracking because they drive the InfoSec workload—the LOE—which means they drive the number of hours that the InfoSecstaff must expend in meeting their InfoSec responsibilities relative to thosesystems and users.

As the number of users on IWC networks changes or the number ofsystems changes, so does the workload; therefore, so does the number ofstaff required and the amount of budget required—time to do the job. Forexample, assume that IWC is downsizing—a common occurrence, whichISSOs will eventually face in their InfoSec careers. If the ISSO knows thatIWC will downsize its workforce by 10%, and assuming that the work-force all use computers, which is not unusual in today’s corporations, theworkload should also decrease about 10%. This may cause the ISSO toalso downsize (lay off staff) by approximately 10%.

However, the downsizing, whether it is more or less than the IWCaverage, should be based on the related InfoSec workload. The InfoSecdrivers are metrics that can help the ISSO determine the impact of the IWCdownsizing on the CIAPP and InfoSec organization. The metrics associ-ated with that effort can also justify downsizing decisions to IWC man-agement—to include possibly downsizing by 5% or 12% instead of 10%.For example, more layoffs may mean more CIAPP-related infractions,which means an increase in noncompliance inquiries, and thus an increasein the workload. Massive layoffs would also mean more work for thosewho are responsible for deaccessing employees from the systems prior toemployment terminations. The metrics can show this work increase andmake a case to management for not laying off InfoSec staff until after theother major layoffs have occurred.

Charting LOE through Number of System Users

As an ISSO, you decided that it would be a good idea to use the driver’smetric that is used for tracking the number of system users. You have gonethrough the analytical process to make that decision based on answeringthe why, what, how, when, who, and where questions.


Ch09.qxd 6/7/03 4:14 PM Page 201

Why Should These Statistics Be Collected?

The driver’s metric which tracks the number of system users for which theISSO has InfoSec responsibility is used to assist in detailing the neededhead-count budget for supporting those users. As an example, the follow-ing functions are charted based on the number of IWC system users (Figure 9.2):

• Access control violations;• Noncompliance inquiries; and• Awareness briefings.

What Specific Statistics Will Be Collected?

• Total users by location and systems; and• Total systems by location and type.

How Will These Statistics Be Collected?

• The total number of users will be determined by totaling the numberof userid’s on each network system and adding to it the number ofstandalone systems. It is assumed that each standalone system hasonly one user.

• Standalone microcomputers and networked systems (which willcount as one system) will be identified and totaled using the


Total Users of IWC Networks World-Wide - 2002

0

5000

10000

15000

20000

25000

30000

1st Q

tr

2nd

Qtr

3rd

Qtr

4th

Qtr

USAsiaEurope

• Number of users increasing atall locations

• Average increase in users per quarter is 11%

• Number of access violationshave increased at a rate of 13%

• Number of awareness briefings have increased at a rate of 10%

• Number of non-compliance inquiries have increased at a rate of 17%

• No increase in InfoSec staff• InfoSec functional

productivity improvement kept headcount steady whilehandling increased workloadwithout a decline in service quality

Figure 9.2 Use of a metrics chart to show how the ISSO and staff are performingtheir jobs in an efficient manner without a loss of quality service and support.

Ch09.qxd 6/7/03 4:14 PM Page 202

approved system documentation on file within the InfoSec organiza-tion on the approved systems database. At IWC, all systems pro-cessing sensitive IWC information, falling within the categoriespreviously identified at IWC for identifying information by its value,must be approved by the ISSO (designated InfoSec staff members).Therefore, data collection is available through InfoSec organization’srecords.

When Will These Statistics Be Collected?

The statistics will be compiled on the first business day of each month andincorporated into the Metrics 1, InfoSec Drivers graph, maintained on theInfoSec department’s administrative microcomputer.

Who Will Collect These Statistics?

The statistics will be collected, inputted, and maintained by the projectleaders responsible for each InfoSec function, such as system accesses andsystem approvals.

Where (at What Point in the Function’s Process) Will TheseStatistics Be Collected?

The collection of statistics will be based on the information available andon file in the InfoSec organization through close of business on the lastbusiness day of the month.

Of course the number of system users affects all InfoSec functions;however, Figure 9.2 is just an example of how the ISSO may want to depictthe InfoSec workload. Follow-on charts would show the workload relativeto the other InfoSec functions that are affected. The bold fonts are used tohighlight important facts that the ISSO wants to emphasize—manage-ment’s eyes are naturally drawn to bold fonts.

Significance of the System Users Chart

The number of system users is also a driver of InfoSec workload becausethe InfoSec functions’ level of effort (LOE) and some projects are based onthe number of users. They include the following:

• The InfoSec staff provides access controls for users;• The number of noncompliance inquiries will probably increase based

on the increased number of users;• The number of noncompliance inquiries may actually increase when

IWC downsizes because of more hostility among the employees (ametrics charts showing caseload may help in defending ISSO staff


Ch09.qxd 6/7/03 4:14 PM Page 203

from more drastic layoffs than may have been required by management);

• The time to review audit trail records will increase as a result of moreactivity because of more users; and

• The number of awareness briefings and processing of additionalawareness material will increase as a result of an increase in users.

Remember that as an ISSO you are also an InfoSec “salesperson” andmust effectively advertise and market information and systems protectionto IWC personnel. The chart noted in Figure 9.2 and similar charts can beused by the ISSO for the following:

• Justify the need for more budget and other resources;• Indicate that the CIAPP is operating more efficiently because the

budget and other resources have not increased although the numberof systems has increased; and

• Help justify why budget and other resources cannot be decreased.

The “Total Users of IWC Networks World-Wide—2002” chart (Figure9.2) is one of many that can be used to brief management on systems’ users,and also for the ISSO to use internally to manage the InfoSec organization.A similar chart (Figure 9.3), related to Figure 9.2 and showing InfoSec LOEsystems, is also useful for briefing management,for example, on head countand budget matters.

When deciding to develop metrics charts to track workload, effi-ciency, costs, etc., of that function, always start at the highest level andthen develop charts at lower levels (in more detail) that support the overall


Total Number of IWC Systems World-Wide - 2002

0

500

1000

1500

2000

2500

3000

1st

Qtr

2nd

Qtr

3rd

Qtr

4th

Qtr

USAAsiaEurope

• Number of systems increasingat all locations at average of8.5%

• InfoSec workload increasing ata rate of 2.3%

• Non-Compliance Inquiriesincreasing at a rate of .17%

• InfoSec manpower remainsthe same due to productivitygains with no decrease ion quality of service.

Figure 9.3 The number of IWC systems, a main InfoSec budget driver.

Ch09.qxd 6/7/03 4:14 PM Page 204

chart. This is done for several purposes. The ISSO may have limited timeto brief a specific audience, and if it is an executive management briefing,the time will be shorter, as usually their attention span is short when itcomes to InfoSec matters. So, the “top-down” approach will probably workbest. If you have time to brief in more detail, the charts are available. Ifexecutive management has a question relative to some level of detail, thenthe other charts can be used to support the ISSO statements and/or posi-tion in reply to the question of the audience. Other systems’ users-relatedcharts flow from the main chart (Figure 9.4).

Granting Users Access to Systems

A major InfoSec service and support function is to add new users tosystems and to provide them new access privileges as directed by theirmanagement and information owners.

As part of that service and support effort, the ISSO wants to ensurethat these users are given access as quickly as possible, because withouttheir access or new access privileges, the users cannot perform their jobs.

If users cannot gain expeditious access, then the CIAPP is costingIWC in terms of lost productivity of IWC employees or even possibly lostrevenue in other forms.


Time to Access User to System

IWC Systems’ Users

USA Asia Europe

Systems UserBreakdown

New Users New User Privileges User Terminations Automatic & Manual Revocations to Systems

Forgot password System Inactivity Human Error Lack of System KnowledgeNon-Compliance Inquiry

Media Control ViolationSystem Access Violation Database Access Violation Usage Violation

Time to Access User to New Files

Figure 9.4 The flow of metrics charts related to the system users chart (Figure9.2). Each box identifies a potential additional metric chart.

Ch09.qxd 6/7/03 4:14 PM Page 205

The ISSO, in coordination with the InfoSec staff responsible for theaccess control function, evaluated the access control process and deter-mined that users should be given access within 24 hours of receipt of arequest from management.

The ISSO decided to track this process because of its high visibility.Nothing can damage the reputation of the ISSO and staff faster than ahostile manager whose employees cannot get systems access to be able todo their work, leading, for example, to increased costs due to lost depart-ment productivity caused by the slowness of accessing employees tosystems. In order to develop a metrics chart, one should first create a flow-chart of the function. Then the ISSO can identify statistical collectionpoints for metrics management charts (Figure 9.4).

Anything worth doing does not have to be done perfectly—at first.—KenBlanchard

EXAMPLES OF OTHER METRICS CHARTS

There are numerous metrics charts that can be developed to support thevarious needs of the ISSO. The following are examples of some of thosecharts.3

The ISSO may also use this information when budget cuts arerequired. The chart can be shown to management and modified to showwhat would happen if the staff were cut one person, two people, etc. Inother words, the average users’ initial access to systems in terms of turn-around time would increase. Management may or may not want to livewith those consequences. The cost can be quantified by taking the averagehourly wage of the employee, identifying how much productivity time islost with access coming within 1 business day, and comparing that to timelost if access, because an access control person has been laid off, takes 2business days.

For example, an employee earns $15 an hour. The employee showsup at the desk of an access controller at the start of the business day, 8A.M. That employee is authorized system access by 8 A.M. the next day.This loss of at least 8 hours of productivity at $15 an hour would be thenormal cost of the InfoSec function of access control, or $120 peremployee. However, if the access were not authorized until the day after,the costs per employee would be $240.

The chart can show the ISSO where staff cuts can be made and stillmeet the expected goals. The ISSO can also use this information when


3 The reader should try developing other metrics charts and also, using the examples, determine how they could be used to support ISSO requirements; to determine successesand failures of the CIAPP; and to support briefings.

1

Ch09.qxd 6/7/03 4:14 PM Page 206

deciding to reallocate resources (transfer a person) to another functionwhere the goals are not being met, and where the fastest way to meet thegoal is to add head count. A word of caution here—adding or decreasinghead count is usually considered a fast, simple solution. However, it is notalways the answer.

Sometimes when the numbers look right the decision is still wrong!—KenBlanchard and Norman Vincent Peale

Many project leaders and ISSOs have found over the years that pro-jects and level-of-effort problems are not always solved by assigning morebodies to solving the problem. One should first look at the process and at systemic problems. This is usually a more cost-effective approach tosolving these types of problems. For example, using the example of thenewly hired employee getting first-time system access, suppose a way wasfound to cut that time down to 1 hour. The costs saving would be fromthe normal $120 to $15, or a saving of $105 per new employee. Such chartscan be used for management briefings and will show specifically how theISSO and staff are lowering InfoSec costs, at least for that particularInfoSec function.

Samples of Noncompliance Inquiry Charts

Examples of this kind of chart are given in Figures 9.5 through 9.7.4 Thesecharts typically show infractions by individual departments (Figure 9.7).That means each department’s vice president will internally compare hisor her department against the others, thereby causing a covert competitionto begin. Vice presidents do not want their departments to look bad, andbecause of their competitive nature, the vice-presidents will push to havea “zero” for each month. Each will want to know exactly what the indi-vidual NCIs were for. The ISSO must be prepared to answer them—usingindividual charts per department. Is this a lot of work? Yes. However, thebenefits are that each department’s vice-president will be pushing to havezero noncompliance inquiries conducted, which means the vice presidentswill be overt supporters of the CIAPP and will push their staff to followthe CIAPP.

It also often leads to the ISSO joining the staff meetings of the departments’ vice presidents and presenting the individual analyses ofeach department and sub-department. The ISSO should also then be in aposition to explain what can be done to minimize these infractions, as wellas minimize the loss of productivity, and thus dollars, caused by each


4 Although these and all charts are published in this book in black and white, it is assumedthat the ISSO’s charts would be in color.

Ch09.qxd 6/7/03 4:14 PM Page 207


Non-Compliance Inquiries - 2002

0

5

10

15

20

25

Series1 12 7 2 1 9 5 3 16 21 4 6 3

Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec

Figure 9.5 The total number of noncompliance inquiries conducted by month forthe year 2002.

0

5

10

15

20

25


Access

Output

Media Control

Usage

Dept. InfoSec Proc.

Total

Figure 9.6 The total number of noncompliance inquiries conducted by type forthe year 2002.

Ch09.qxd 6/7/03 4:15 PM Page 208

infraction. Showing the cost in lost productivity in hours per noncompli-ance inquiry will have a major impact on the staff. This can then also belinked to losses in terms of budget using an average IWC salary or hourlywage, which can often be gotten from the Finance or Human Relationsstaff.

The ISSO should also take to these briefings one or more of theInfoSec staff who have some responsibility for the information presented.This lets the staff members see how their work affects IWC departmentpersonnel. It also helps them become part of the entire process of workingthe InfoSec issues—and it is an opportunity for the ISSO to show confi-dence and support for InfoSec staff. By no means should they be used asa scapegoat or allowed to be the target of abuse by managers defensivelyrationalizing that a noncompliance inquiry was groundless, should nothave been conducted, or the like. The ISSO should at all times take theblame and give the credit to InfoSec staff members. Furthermore, the ISSOmust keep the focus of the meeting on the material being briefed and mustdiscuss the numbers. The meeting should never be allowed to become a“finger-pointing” and inquiring report critique. This is not often easy to doas the department managers try to defend themselves. The meeting objec-tive and ground rules for discussion should be stated in advance by theISSO if the vice president does not so state.


0

5

10

15

20

25

A B C D E F G H I J K

Feb

Year

Figure 9.7 The total number of noncompliance inquiries conducted by each IWCdepartment for the month of February, and the total of all departments for theperiod January and February 2002.

Ch09.qxd 6/7/03 4:15 PM Page 209

The primary use of a chart like the one in Figure 9.8 is for the ISSO to understand the workload of one of the InfoSec functions. Bylooking at the number of inquiries opened, closed, and pending per month,the ISSO can, for example, determine whether the staff member conduct-ing the inquiry requires additional staff support. The turnaround time ofthese inquiries is important—the sooner an inquiry is completed, thesooner, the employee’s manager, in concert with IWC Human relationsstaff, can take whatever action is deemed appropriate. This is crucial if theperson may be subject to termination or if the employee’s system accesshad been suspended pending completion of the inquiry and the adjudica-tion process.

As with all metrics charts, a decision must also be made whether tocollect the data monthly, quarterly, semiannually, annually, or somewherein between. The time period will depend on several factors. These include,but are not limited to:

• What they will be used for, such as monthly or annual executive briefings;

• Budget justifications;• InfoSec staff functions resource allocations, and• The objectives of each chart.


0%

20%

40%

60%

80%

100%


Pending

Closed

Opened

Figure 9.8 The total number of noncompliance inquiries opened per month,closed per month, and pending per month.

Ch09.qxd 6/7/03 4:15 PM Page 210

A subchart of this chart may be the average time spent per type of inquiry (Figure 9.9). Once the time elements are known, they can beequated to productivity gains and losses, as well as budget, such as money,equipment, and staff.

InfoSec Tests and Evaluations

The ISSO decides to establish a process that will provide guidelines onthe need, establishment, and implementation of metrics charts. The ISSOuses an InfoSec function to develop the process—the methodology—withthe following results:

• IWC InfoSec will conduct security tests and evaluations (ST&E) asprescribed by IWC InfoSec policies and procedures.

• Results of IWC InfoSec ST&E will be charted.• Each chart will be evaluated to determine whether a pattern/trend

exists.• Patterns/trends will be evaluated to determine how effectively a func-

tion is being performed• Results and recommendations will be presented, in accordance with

InfoSec policies and procedures, to the applicable managers.


0

5

10

15

20

25


Series1

Figure 9.9 The average time spent in hours per noncompliance inquiry.

Ch09.qxd 6/7/03 4:15 PM Page 211

Another InfoSec function that provides opportunities for usingmetrics management techniques is the function of InfoSec ST&E. Thecharts in Figures 9.10 through 9.12 are samples of metrics managementcharts that may be of use to an ISSO.5

Figure 9.10 is a useful chart in that it shows an increase in workloadover time that can be compared with staffing for that function over time.The ISSO may consider a reallocation of staff because of the increasedworkload. Also to be considered is whether or not to change the ST&Eprocess. One consideration is to conduct fewer ST&Es. If one does that, itwould be important to monitor the number of noncompliance inquiries,as they may go up. For example, fewer ST&Es may result in increasedsystems vulnerabilities, which may in turn lead to more successful attacks,and thus to more noncompliance inquiries. Another factor the ISSO mayconsider is doing more ST&Es using automated InfoSec software to replacesome currently manual testing.

One can also consider providing training to IWC department staff sothey can do their own ST&Es and provide reports to the ISSO. This isusually not a good idea, as the objectivity of the testing may be question-


0

10

20

30

40

50

60

70

80


2000

2001

2002

Figure 9.10 The total number of ST&Es conducted over the past 3 years.

5 For those readers trying to match numbers between charts and subcharts, you might as wellknow now that the numbers for each chart are arbitrarily assigned and do not reflect anyconsistency throughout. They are given as samples only. If you are looking for “real”numbers, you are missing the point of this chapter—the process and thinking behind metricsmanagement of InfoSec functions.

Ch09.qxd 6/7/03 4:15 PM Page 212

able. For example, they may find vulnerabilities but not report them,because they do not want to incur the costs in time and budget to mitigatethe risks identified by these vulnerabilities. In addition, as far the IWC asa whole is concerned, one is only passing on the costs in terms of alloca-tion of resources to conduct the ST&Es to another department and notdecreasing overall IWC CIAPP costs.

Remember that IWC is a global corporation with plants and officeson three continents. Since the ISSO has overall CIAPP and InfoSec functional responsibility for all locations, a process must be put in placefor metrics management at all locations. The CIAPP-InfoSec functionalleads at all the locations would provide the statistics and charts for theirlocations (Figure 9.11).

These statistics would be indicators in establishing InfoSec func-tional resource allocations based on the “worst” locations (Figure 9.12).

The issue that will often come up when designing charts is what typeof charts to use—bar, line, pie, etc. The choice should be to use the formatthat meets the chart’s objective in the most concise and clear way.

An ISSO sometimes comes across numbers that are out of balancewith each other, e.g. 135 satisfactory ST&E ratings, 13 marginal. If the chart


Asia

Europe

USA

Figure 9.11 The number of ST&Es conducted per location in 2002.

Ch09.qxd 6/7/03 4:15 PM Page 213

chosen were a line chart or a bar chart, the smaller number would so dwarfed as to be unreadable. In this case, the pie chart may be the solution.

The other solution may be to label each point in the chart with itsnumber. For example, the bar or line designating 13 marginal ratingswould have the number 13 over that point in the chart. This may give the perception that the marginal ratings were somewhat meaningless.However, as an ISSO, you are aware that is not the case, and in fact, indi-cates increased vulnerabilities to successful attack on those systems. Thepie chart, on the other hand, shows that the number is small, but it at leastappears large on the graph. The audience will see that number as being atleast more significant than the same number shown on a line or bar chart.

InfoSec Education and Awareness Training

The CIAPP’s InfoSec Education and Awareness Training Program (EATP)is one of the major baselines of the CIAPP. It follows that it is an integralpart of the ISSO’s InfoSec organization. It doesn’t matter whether briefings,


Outstanding

Satisfactory

Marginal

Unsatisfactory

Figure 9.12 The ratings (Outstanding, Satisfactory, Marginal, Unsatisfactory) ofST&Es conducted within the corporate office in the year 2002 by department.

Ch09.qxd 6/7/03 4:15 PM Page 214

training and such are given by an InfoSec staff member, the IWC TrainingOffice, the Director of Security’s security training personnel, HumanResources new-hire briefings, or a combination of any of these organiza-tions. It is a CIAPP, and therefore an InfoSec cost, and it should be metrics-managed.

For the purposes of this chapter on metrics management, let usassume that one of the ISSO’s InfoSec staff is responsible for the EATP. Atleast two major metrics charts should be maintained (Figures 9.13 and9.14).

Let’s assume that to be somewhat cost-effective, the goal is to have atleast 15 employees on average attend each briefing. That being the case,this metrics chart or another like it would show not only the number ofbriefings and the total attendees, but also the average number of attendeesper briefing. In addition, a straight line could be included at 15 so that theaverage attendees per briefing can easily be compared against the goal of15 employees per briefing. Lost? OK, let make it easy. See Figure 9.14.

If the goal was not being reached, as the ISSO, you might want todiscuss the matter with your InfoSec leader for the EATP. Certainly if thegoal is not being met, you can’t and obviously shouldn’t ignore it. Thereis nothing worse than setting a goal, metrics managing to attain that goal,and then ignoring it when it is not being met. Furthermore, as an ISSOyou shouldn’t just wait until the end of the year to attempt to correct the


0

10

20

30

40

50

60

70

80

90

100


Briefings

Persons Briefed

Figure 9.13 The number of briefings given and the number of personnel per briefing.

Ch09.qxd 6/7/03 4:15 PM 5


0

5

10

15

20

25

30

35


Goal

Average number of attendees

Figure 9.14 The average number of attendees per SEATP briefing measuredagainst the goal of at least 15 personnel per briefing.

matter in discussion with your EATP lead, and then zap that person intheir year-end performance evaluation.

Let us assume that employees must attend an annual briefing relativeto the CIAPP and their duties and responsibilities. Assume that theyprepare to attend the briefing and walk to the briefing room, and that ittakes 15 minutes. They attend a 1-hour briefing and return to their placeof work for a total time of 90 minutes. At an average employment rate of$15 per hour, each employee’s time (and lost productivity, since they arenot performing the work for which they were hired) for the annual brief-ing is $22.50. Let’s also suppose that IWC employs 100,000 people world-wide and all of them must attend the annual briefing. That means that theannual briefing program, excluding the time the InfoSec specialist takes inpreparing the updated material each year and other expenses, costs anastounding $2,250,000!

Figure 9.15 shows one type of category; however, there are others.For example, the ISSO may want to track the number of personnel briefedby such categories as InfoSec systems custodians, general users, subcon-tractors, Asian offices, European office, and U.S. offices.

One can argue that the briefings are necessary, they save money inthe long run because valuable IWC is protected, and all that. However, thatdoes not change the fact that this is a rather costly program. In fact, thereis no indication that the cost–benefits have ever been validated. Yet, every

Ch09.qxd 6/7/03 4:15 PM Page 216

ISSO knows that employee awareness of the threats, vulnerabilities, andrisks to information and information systems is an absolute necessity. So,what can be done to lower the cost of such a program?

Using the project team approach the ISSO should establish a projectteam to look at the costs, benefits, and risks of not having an annual brief-ing and other methods for providing awareness to employees. Possibly theuse of e-mails, online briefings, and other electronic means could elimi-nate the need for the employees to physically attend a briefing. Possiblybriefings could be eliminated or online bulletins used.

Cost Avoidance Metrics.

As an ISSO, you may want to use the metrics management approach to beable to quantify the savings of some of your decisions. For example, whenanalyzing your budget and expenditures, you note that a major budget itemis travel costs for your staff. This is logical, because staff, as well as you, must travel to the various IWC offices to conduct InfoSec tests and evaluations.

Again, using the project management approach, you lead a projectteam of yourself, staff members, and a representative from the Contract


0

500

1000

1500

2000

2500

3000

3500

4000

A B C D E F G H I J K

$$$$ Cost

Year

Figure 9.15 The number of personnel briefed by IWC departments and the costsof the briefings in each department, such as lost productivity equated to dollars oftime.

Ch09.qxd 6/7/03 4:15 PM Page 217

Office and Travel Office. Your goal is to find ways to cut travel costs whilestill meeting all the CIAPP and your charter responsibilities. A represen-tative from the Contract Office will advise the project team on contractualobligations and way in which they can be met with less travel, but withoutviolating the terms of the contracts. The Travel Office will give advice onways to cut travel costs. For example, because many trips are known wellin advance, flights and hotels can also be booked in advance.

The project team came up with some valid changes in the processesthe InfoSec staff uses as part of their travel budget. Figure 9.16 was devel-oped to track the savings based on the process changes.

Metrics Management and Downsizing

All ISSOs at one time or another in their careers face the need to downsiz—that is, lay off, fire, or terminate—InfoSec staff. However, if you are oper-ating at peak efficiency and have not built any excess staff into meetingyour charter responsibilities, you may be able to make a case for not terminating staff, or terminating fewer personnel.

Many managers, and ISSOs are no exception, tend to forget that theyare hired to do a job, and that job is not to build an “empire” or bureau-cracy. The key to success is getting the job done efficiently and effec-


0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%


Actual-$$$$

Avoidance-$$$$

Figure 9.16 The costs and cost avoidance of InfoSec staff travel.

Ch09.qxd 6/7/03 4:15 PM Page 218

tively—as we said before, good and cheap. Besides, the more staff membersand the larger the budget you have, the more people problems you willhave and the harder the financial people will try to take some of yourbudget. So you are constantly battling to maintain your large budget.

If, on the other hand, you have a small staff and a smaller budget,you have a better chance of protecting what you have, because it is theminimum needed to get the job done. That approach coupled with metricsmanagement techniques and periodic briefings to executive managementwill help you continue to get the job done as you deem appropriate, eventhough other organizations are losing staff.

Let’s look at some figures showing various ways of presenting infor-mation based on metrics management’s data collection efforts:

The LOE versus project support chart in Figure 9.17 clearly showsthat the InfoSec organization has been supporting the projects of other IWCdepartments and that the workload is not “nice-to-have” projects. Theseare projects that require the support of the ISSO and InfoSec staff. It alsoshows that the ISSO and staff are an integral part of major IWC projectsand are functioning as part of their service and support duties.

Taking this chart as an example, similar charts can then be developedusing the same template but showing the workload per function versusbudgeted hours for each function, such as SEATP and ST&E.


0

500

1000

1500

2000

2500

3000

3500

1 2 3 4 5

Level of Effort

Resources Available

Figure 9.17 A 5-year period tracking the level of effort in hours of work of theInfoSec staff per year, per individual, compared to the hours of work that must beaccomplished to support the IWC departments.

Ch09.qxd 6/7/03 4:15 PM Page 219

Another chart that is important for briefing management is one thatshows the LOE versus the hours available for the InfoSec staff (Figure9.18). The difference between LOE and time available can be shown to bepart of a briefing on work backlog or used to show the difference is over-time being worked. A subchart may show details on the amount of backlogand its impact on the cost of doing business. It can also show the over-time costs being paid, and perhaps a comparison of that cost with the costof hiring one or more additional staff. Seeing this comparison would helpin making decisions as to which is cheaper, paying overtime or hiring morestaff.

These charts must also be accompanied by others showing pro-ductivity and drivers of workload, as in some of the charts shown earlier.This is necessary because management will ask why you must do thethings you do, and why must you do them in the way you are doing them.This quest for productivity and efficiency gains will be a constant chorefor the ISSO. It is a challenge, but one that can be supported by metricscharts.

Layoffs are a fact of life in business, and metrics charts can help theISSO justify head count and work, as shown by some of these charts. Othercharts may also help, such as that shown in Figure 9.19. The chart canshow measurement in terms of head count or hours that are equivalent tohead count.


0

500

1000

1500

2000

2500

3000

3500

1998 1999 2000 2001 2002

Level of Effort

Resources Available

Level of Effort Versus Resources Available (In Hours)

Increased LOE due to:

•Automating factories

•Global expansion ofoffices

•Adding secure links

•Increased number ofusers (29%)

•Increased number ofsystems (37%)

•Migration of systems

•Second Intranet

•New contract tosupport

•Support of 63 ITprojects

Figure 9.18 The LOE versus the hours available to do the work.

Ch09.qxd 6/7/03 4:15 PM Page 220

Generally, when management decides to cut costs, they lay off em-ployees as the easiest method. They also usually direct each manager to cut a certain percentage of staff, say, 20%. However, although this maythe easiest way, it is not the best way; sometimes it would be cheaper tokeep some of the staff, because their loss caused delays costing millionsof dollars worth of production, sales, etc. As we all know, executive man-agement often takes a short-term, “what’s in it for me now” approach tomanaging their parts of the business.

Metrics management can help the ISSO plead the case to not cut 20%of staff. One word of caution: The ISSO should do this objectively andbased on providing effective and efficient service and support to the IWCdepartments. It should never, ever be based on keeping a large staff andbureaucracy for the sake of status, power, ego, or other nonbusinessreasons.

Along with the chart shown in Figure 9.19, the ISSO would includeinformation relative to the impact of both IWC’s directed layoff numbersand those of the ISSO. This must be objectively done based on a businessrationale. This information would include the following, identified asincreasing the level of risks to information and information systems:

• Contingency planning: Contingency, emergency, and disaster recov-ery testing and plan updates will be delayed. The result will be any-


0 0.5 1 1.5 2 2.5

Access Control

Non-Compliance Inquiries

Access Violations Analyses

Awareness Program

Contingency Planning

ISSO;s Proposed Layoff

IWC's Layoff

Figure 9.19 Comparison of IWC executive management requested layoff versus acounterproposal by the ISSO.

Ch09.qxd 6/7/03 4:15 PM Page 221

thing from no impact to not being able to effectively and efficientlydeal with an emergency.

• Awareness program: Employees may not be aware of their responsi-bilities, thus leaving the systems open to potential attack or anincrease in the potential of the loss of sensitive information.

• Access violations analyses: There will be delays of between 48 and72 hours in the analyses of audit records. Thus, an attack against IWCsystems would not be known for at least 48–72 hours. During that period, information could be stolen. However, something like a denial of service attack would be known when it was successful.The opportunity to identify the initial attempts at these attacks overa period of time would be lost, and with it the chance to mountdefenses before the attacks were successful. The result will besystems, possibly production systems, that are down for an unknownperiod of time.

• Noncompliance inquiries: The average time it would take to completean inquiry would increase by more than 2 weeks. Thus, no action toadjudicate the alleged infraction would be possible until the reportwas delivered to management. Furthermore, the alleged infractionmay have called for the revocation of system privileges of theemployee or employees who are the subject of the inquiry. Thus, theirability to be productive employees during that time would benegated.

• Access control: It is assumed that the number of new employees hiredwould be drastically reduced, and that could mitigate some of thelevel of effort expended by the access controllers. However, employ-ees requiring changes in privilege would have those access changesdelayed an additional 48–72 hours from the present average of 8–12hours. This may adversely affect their productivity. To allow depart-ments to do their own employees’ privilege changes was evaluatedunder a previous project and found to not be realistic: The informa-tion to which the employees needed access did not belong to thatdepartment; most often it belonged to another information owner.These information owners did not want others to access their information without their approval. In addition, this change wouldjust a transferring of costs and would not save IWC any additionalresources.

The foregoing is a small example of how metric management tech-niques can be used when the need for budget cuts occurs. The exampleprovides some insight into how metric management techniques help mitigate the risks of budget and staff downsizing when such downsizingwill hurt the CIAPP and IWC. Metric management techniques can help theISSO make a case to executive management. Furthermore, if the ISSO, sup-ported by the metric management approach, has been periodically brief-


Ch09.qxd 6/7/03 4:15 PM Page 222

ing management of the CIAPP and ISSO’s projects and level of effort, theISSO will have gained the confidence of management as a reliable managerwho gets the job done as efficiently and effectively as possible.

PROJECT MANAGEMENT

As previously discussed, there are two basic types of work performed bythe ISSO and staff: (1) level of effort (LOE) and (2) projects. We have dis-cussed LOE and have provided some examples of process and metricsflowcharts relative to LOE.

It has been stated several times, but bears repeating: Projects areestablished where some tasks related to the CIAPP and/or InfoSec func-tions must be completed but they are not ongoing tasks. It is imperativethat the ISSO be intimately familiar with and experienced in project management—as well as time management.

Remember that whether or not some task should be a project dependson whether it has the following:

• A stated objective (generally in one clear, concise and complete sentence);

• A beginning date;• An ending date;• Specific tasks to be performed to successfully meet that objective;• A project leader; and• Specific personnel to complete each task and the time period when

the task will be completed.

Let’s assume that the CIO sent a memo to the ISSO based on a conversation that the CIO had with the Director of IT. It seems that theyhad a meeting and during the meeting the discussion turned to IT projectsrelated to their projects of upgrading systems, such as hardware, software,and their general maintenance. The CIAPP policy called for such upgradesand maintenance efforts to ensure that the information environment ismaintained in compliance with the requirements set forth in the CIAPP.The Director stated that the IT staff didn’t know if that was always the casewhen they made changes to systems. Consequently, the Director suggestedthat members of the ISSO’s organization be part of the IT project teamswith responsibility for determining whether the changes kept IWC’s infor-mation environment secure. The CIO agreed and sent the ISSO a letter tothat effect. When the ISSO received the memo, the ISSO discussed thematter with the Senior Systems Security Engineer. It was decided that aproject be developed in order to establish a process and function to complywith the request from the CIO and Director of IT.


Ch09.qxd 6/7/03 4:15 PM Page 223

As an ISSO, you should be able to identify several issues that theISSO must resolve apart from initiating this project. First, the Director ofIT and the ISSO should be working closely together, and by doing so, theycould have dealt with this matter without involving their boss, the CIO.In addition, the fact that the CIO sent a memo to the ISSO, instead ofcalling or meeting personally with the ISSO, indicates that the communi-cation and working relationship between the CIO and ISSO must beimproved. The ISSO must take action to immediately begin improving thecommunication and relationship with the Director and CIO.

That aside, using Figure 9.20 as an example, let’s develop a projectand fill in the blanks for major portions of the chart:

• SUBJECT: The project name: Security Test & Evaluation FunctionDevelopment

• RESPONSIBILITY: The name of the project leader: John Doe, InfoSecSenior Systems Security Engineer.

• ACTION ITEM: What is to be accomplished:. IT requires ISSOsupport to ensure that information and systems protection are integrated into IT systems’ integration, maintenance, and updateprocesses.


RESPONSIBILITY:

OBJECTIVE(S) RISK/STATUS:

ACTION ITEM:

REFERENCES :

8

9

10

PAGE 1 of 1

ISSUE DATE

STATUS DATE

RISK

1

2

3

4

5

6

7

RESPONS-IBILITYACTIVITY/EVENT

LVL DESCRIPTION

HIGHMEDIUMLOW

HML

Risk Level

2002Feb Mar Apr May Jun Jul

=Major

Legend Scheduled Complete

MilestoneActivityDeviation Span

SUBJECT:

xxxxxxxx

Figure 9.20 A basic project management chart that can be used to track CIAPPand InfoSec functional projects.

Ch09.qxd 6/7/03 4:15 PM Page 224

• REFERENCES: What caused this project to be initiated. For example:“See memo to ISSO from CIO, dated November 2, 2002.”

• OBJECTIVE(S): State the objective if the project: Maintain a secureinformation environment.

• RISK/STATUS: State the risk of not meeting the objective(s) of thisproject: Because of limited staffing and multiple customer projectsbeing supported, this project may experience delays as higher prior-ity LOE and projects take precedence.

• ACTIVITY/EVENT: State the tasks to be performed, such as “Meetwith IT project leads.”

• RESPONSIBILITY: Identify the person responsible for each task. Inthis case, it is the Senior Systems Security Engineer, John Doe.

• CALENDAR: The calendar could be a year-long, monthly, quarterlyor 6-month calendar with vertical lines identifying individual weeks.Using the 6-month calendar, the Project Lead and assigned projectteam members would decide what tasks had to be accomplished tomeet the objective. The arrows and diamonds identified in the legendwould be used to mark the beginning and ending dates of each task.The arrows are filled in when the task is started and when the taskis completed; the diamonds are used to show deviations from theoriginal dates.

• RISK—LVL: In this space, each task is associated with the potentialrisk that it may be delayed or cost more than allocated in the budgetfor the task. Using “High,” “Medium” or “Low” or “H,” “M” or “L,”the Project Lead, in concert with the person responsible for the task,assigns a level of risk.

• RISK—DESCRIPTION: A short description of the risk is stated in this block. If it requires a detailed explanation, that explanation is attached to the project plan. In this block the Project Lead, who isalso responsible for ensuring that the project plan is updated weekly,states “See Attachment 1.”

• ISSUE DATE: The date the project began and the chart initiated goesin this block.

• STATUS DATE: The most current project chart date is placed here.This is important because anyone looking at the project chart willknow how current the project chart is.

Other types of charts can also be developed to show project costs in terms of labor, materials, and the like. A good, automated project plansoftware program is well worth the costs for managing projects.

In the case of project charts, the ISSO uses them to brief managementrelative to the ongoing work of the InfoSec organization and states of theCIAPP. The ISSO receives weekly updates on Friday morning in a meetingwith all the ISSO’s project leaders, where each project lead is given 5minutes to explain the status of the project—for example, “The project is


Ch09.qxd 6/7/03 4:15 PM Page 225

still on schedule” or “Task ##2 will be delayed because the person assignedthe task is out sick for a week; however, it is expected that the project com-pletion date will not be delayed because of it.”

The ISSO holds an expanded staff meeting the last Friday of eachmonth. All assigned InfoSec personnel attend these meetings, which last2 to 3 hours. At these meetings, 1 hour is taken for all project leads andInfoSec functional leads to brief the status of their LOE and projects to theentire staff. The ISSO does this so that everyone in the organization knowswhat is going on—a vital communications tool. Also during this time,other matters are briefed and discussed, such as the latest risk manage-ment techniques, conferences, and training available.

QUESTIONS TO CONSIDER

Based on what you have read, consider the following questions and howyou would reply to them:

• Do you use formal metrics management techniques?• If not, why not?• If so, are they used to brief management?• Are each of your InfoSec functions documented not only in work

instructions but also in process flowcharts?• Do you use similar charts to document the InfoSec functional LOE?• What other charts would you develop for each of the ISSO functions?• Do you have at least one metrics chart to track costs of each InfoSec

function?• How would you use metrics management charts to justify your budget

requests?• How would you use metrics management charts to justify the number

of your staff?• How many charts, by function and description, would you want to

use as an ISSO?

SUMMARY

Metrics management techniques will provide a process for the ISSO tosupport InfoSec- and CIAPP-related decisions. The ISSO should under-stand the following points:

• Metrics management is an excellent method to track InfoSec func-tions related to LOE, costs, use of resources, etc.

• The information can be analyzed, and results of the analyses can beused to:


Ch09.qxd 6/7/03 4:15 PM Page 226

Identify areas where efficiency improvements are necessary;

Determine effectiveness of InfoSec functional goals;

Provide input for performance reviews of the InfoSec staff (a moreobjective approach than subjective performance reviews of today’sISSOs); as well as

Indicate where InfoSec service and support to IWC requires improve-ment, meets its goals, etc.


Ch09.qxd 6/7/03 4:15 PM Page 227

establishing a metrics management...

Documents